Open source vulnerabilities vs. critical vulnerabilities internally developed in your application

Luis Carlos
7 min read · Sep 27, 2019


Nowadays information security is not given as much attention as it should be. Well-known examples are the companies commonly spoken of as victims of cyber crime (Equifax, DoorDash, Facebook, and you name the rest). For most of the vulnerabilities found on these sites it was just a matter of investing a little time to find them, if they were present. Take the case of the new zero-day that just popped up for the vBulletin forum software. Just below we have a simple URL that vBulletin receives with a parameter vulnerable to RCE (Remote Code Execution). In this case the attacker uses an exploit that passes the PHP command shell_exec via a parameter that the application itself allows, and that can trigger OS commands. So if I input something like the Linux command cat /etc/passwd (view a file called passwd) as a parameter together with the shell_exec command, there will be a response from the server and I will be able to see everything in this file.

Zero Day Exploit for VBulletin Forum Software — theHackernews.com

The one above is very simple to exploit. But now we must understand the impact that this might have on your company. As stated, there are hundreds if not thousands of vulnerabilities (we are talking about the application layer only) that we could speak about. But what impact can an open source vulnerability have on your app vs. a critical vulnerability that is programmed by your developers or even by you?

Open Source Vulnerabilities

Open source vulnerabilities are basically well-known vulnerabilities in software that is being actively (or not so actively) used. As an example, take the jQuery library, one of the most used JavaScript libraries, which among other things deals with event handling. If we access a database of known vulnerabilities, like my favorite one, Common Vulnerabilities and Exposures (CVE), we will find the following vulnerabilities:

As you can see, possible vulnerabilities are listed for a library that thousands of developers are using in their code without any prior knowledge of this. Even worse, if the developers are not seeing this, imagine the people at the top who do not have time for it (CEO, CFO, COO, and so on). Now that we can see the vulnerabilities, there are tools with modules that can exploit them with a simple execution from a terminal, like a Linux terminal. Below we have another example of an open source vulnerability being exploited. Be advised that "open source" here does not only mean that the source code is displayed; it also covers vulnerabilities that were discovered without seeing any code whatsoever. Below, Metasploit is executing a module for the Windows SMB vulnerability EternalBlue. Remember the WannaCry ransomware?

Metasploit Module for EternalBlue

Above, a very well known tool called Metasploit is executing the module that exploits the Windows EternalBlue SMB vulnerability. This vulnerability can lead to many things, starting with access to your files and even your webcam, and most importantly, if it is a server holding important information like company files, databases and so on, that will not be good. What should we do about this? The most important thing for open source vulnerabilities is to check all the dependencies that your code is using, or, as commonly said, the third-party libraries in your projects, and the best advice is to check the ones that are most exposed or deal with any type of critical data that has value to your company. Below is a file that Node.js uses. It is called package.json, and in it you will find all the dependencies and third-party libraries embedded and probably in use.

package.json dependency check.

The key to this is simple. Normally, if it is an open source library, the maintainers will make an update available so you can patch the vulnerability if it exists. If you can, you may try to fix the vulnerability yourself, but that may mean more workload for you.
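As an added example (not code from the article), here is a minimal dependency check over a package.json: it reads the declared version ranges and flags any package whose range floor is below the first fixed version in a constructed advisory list. The package.json content, the advisory entries and their placeholder ids are all made up for the demonstration.

```python
import json
import re

# Constructed package.json content (not the one shown in the article's screenshot).
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "jquery": "^3.3.1",
    "express": "4.17.1",
    "lodash": "~4.17.15"
  },
  "devDependencies": {
    "mocha": ">=6.0.0"
  }
}"""

# Constructed advisory list: package -> (first fixed version, note).
# Real advisories carry CVE ids; these ids are placeholders, not real entries.
ADVISORIES = {
    "jquery": ("3.4.0", "CVE-PLACEHOLDER-1: fixed in 3.4.0"),
    "lodash": ("4.17.19", "CVE-PLACEHOLDER-2: fixed in 4.17.19"),
}

def parse_version(spec):
    """Return the lowest version a range like '^3.3.1' or '~4.17.15' admits, as a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", spec)
    if not m:
        return None  # '*', 'latest', git URLs: nothing to reason about
    return tuple(int(x) for x in m.groups())

def find_vulnerable(package_json_text):
    """List (section, name, range, note) for every dependency that may resolve to a vulnerable version."""
    data = json.loads(package_json_text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if name not in ADVISORIES:
                continue
            fixed, note = ADVISORIES[name]
            lowest = parse_version(spec)
            # Unparseable ranges are flagged too: an unknown floor is not a safe floor.
            if lowest is None or lowest < parse_version(fixed):
                findings.append((section, name, spec, note))
    return findings

if __name__ == "__main__":
    for finding in find_vulnerable(PACKAGE_JSON):
        print(finding)
```

A caret or tilde range only states the floor; the version actually installed is recorded in the lockfile, so a real check should read package-lock.json as well.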

Vulnerabilities triggered by internal development.

Unlike open source vulnerabilities, it may be more difficult to find these vulnerabilities in your source code, depending on the vulnerability, of course. The most critical ones that I have seen are in the OWASP Top 10 application vulnerabilities. Things such as RCE, SQL injection, XSS, XXE, CSRF and so on exist in applications and are very present in modern frameworks that are programmed to trigger certain actions. Like the vBulletin vulnerability, which for them was introduced internally, they are not that difficult to find if the person has time to invest. Below we have an example of an SQL injection, which your applications can have if parameters are not validated correctly, so that instead of your database understanding the input as data it interprets it as database commands. We found this by testing dynamically. No worries, the site lets us do this, and if you want to test it yourself the URL is below.

If the attacker takes a look at the URL he will see this.

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1

Seeing the parameter being sent, an attacker can guess that something like this might be happening in the backend.

SELECT * FROM users WHERE id = '1'

So, if it is a parameter that is being passed, I may try to see if it accepts an illegal character like this one: '

Now instead of this (1) I have this:

SELECT * FROM users WHERE id = '''

If it is a MySQL database, normally it will complain with an SQL syntax error like the one below.
Error While Selection process : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1

Now I can continue the logic: instead of putting only an apostrophe I can concatenate a query and see what happens.

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=' UNION SELECT 1,2,3 FROM information_schema.tables -- l

And I get the answer below, which means that the column that will show me the information is column 2, which will show me what I want to know about a certain column of a certain table ("users" is my favorite, by the way).

Now, just to summarize, I can get any information I want. I will use the following query to get all the passwords.

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=' UNION SELECT 1,password,3 FROM users -- l

And I get this.

So, this is an example of a security vulnerability called SQL injection, present in web applications nowadays. This could also be an open source vulnerability, but I am just showing how it can be present on any site. To fix this we could use prepared statements, regex and whitelists, but I think the OWASP site can give you more details on that.
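To make the fix concrete, here is an added example (not the article's or the challenge site's code) that runs the same UNION payload against a constructed in-memory SQLite table twice: once through string concatenation, as the walk-through above assumes the backend does, and once through a prepared statement plus a whitelist check on the id parameter. The table, its rows and the function names are assumptions made for the demonstration.

```python
import re
import sqlite3

# The payload from the walk-through above (the trailing space after "--" matters).
PAYLOAD = "' UNION SELECT 1,password,3 FROM users -- "

def setup_db():
    """In-memory database with a constructed users table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hunter2"), (2, "bob", "letmein")])
    return conn

def lookup_vulnerable(conn, user_id):
    """Concatenates the parameter into the SQL text, so a quote ends the literal
    and everything after it is parsed as SQL (the UNION appends the password column)."""
    query = "SELECT id, username, password FROM users WHERE id = '" + user_id + "'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, user_id):
    """Prepared statement: the parameter is bound as a value and never parsed as SQL,
    so the payload is simply compared against the id column and matches nothing."""
    return conn.execute(
        "SELECT id, username, password FROM users WHERE id = ?", (user_id,)
    ).fetchall()

def is_valid_id(user_id):
    """Whitelist check (defence in depth): an id is 1 to 10 digits, nothing else."""
    return re.fullmatch(r"\d{1,10}", user_id) is not None

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:", lookup_vulnerable(conn, PAYLOAD))  # leaks every password
    print("safe:      ", lookup_safe(conn, PAYLOAD))        # returns no rows
    print("whitelist: ", is_valid_id(PAYLOAD))              # False, reject before querying
```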

What's my point?


Both are very critical, regardless of whether they are open source or programmed by you. Open source is very notable depending on which library you actually use, but there might still be newly discovered vulnerabilities, or so-called zero-day exploits, which you may or may not be able to discover by yourself because they were not disclosed by the person who discovered them, and they are normally difficult to find. If they are not disclosed, there is not much we can do. But rest assured, the infosec community is very active and friendly in helping us out when it comes to pointing out possible vulnerabilities like the vBulletin one.

On the other hand, the vulnerabilities that are in your own site or application are entirely up to you to find. If you have tons of applications in use you might need extra resources, like a manual code review, a penetration test, or better yet a SAST tool to discover these vulnerabilities. There are a bunch of tools out there. I currently use Checkmarx CxSAST, which is paid but the best one out there for finding security vulnerabilities statically. On the other hand there are open source SAST tools which you can find with a little research. I won't publish any here because they are basically only for certain languages, so if I publish one for Java I will be missing out all the others like Python or JavaScript. But then again, it may be difficult for the attacker to find out the ones you have in your application. Thank you for reading this article. Cheers!!!
